The biggest botnet attacks in history may have started with fights between Minecraft servers.

You may remember hearing a lot of the name "Mirai" last fall, around the same time record-breaking DDOS attacks were taking down sites like Krebs on Security and DNS server Dyn, which then knocked Reddit, Twitter, Spotify, and more offline. Mirai was a big deal—a botnet of more than 500,000 'Internet of Things' devices like routers and security cameras, hammering servers with gigabits of data per second until they crash. It's especially noteworthy because Mirai's source code was released online, giving the botnet the potential to spread farther and faster. Now internet security expert Brian Krebs has finished a months-long investigation into the origins of Mirai, and his reporting includes an unexpected player: Minecraft.

"Mirai’s ancestors had so many names because each name corresponded to a variant that included new improvements over time," Krebs writes, in reference to pre-Mirai botnets like Bashlite and Torlus. "In 2014, a group of Internet hooligans operating under the banner 'lelddos' very publicly used the code to launch large, sustained attacks that knocked many web sites offline.

"The most frequent target of the lelddos gang were web servers used to host Minecraft, a wildly popular computer game sold by Microsoft that can be played from any device and on any internet connection."

Krebs goes on to write that successful Minecraft servers can rake in $50,000 per month from players renting space and purchasing items. This financial investment made them an obvious target for DDoS attacks, but it's surprising how seedy and convoluted this story gets in no time. The botnet runners weren't simply taking down servers and ransoming the owners. According to Krebs, many of the attacks on Minecraft servers were designed to woo those server owners from one security firm to another.

One company that specializes in protecting Minecraft servers from attacks, called ProxyPipe, came under attack from lelddos in June 2014. Krebs spoke with ProxyPipe vice president Robert Coelho, who claimed further DDoS attacks in 2015 came directly from competing Minecraft security firm ProTraf Solutions. Krebs' report keeps digging, and he alleges that the president of ProTraf (a company of only two employees) is actually the author of the Mirai botnet worm, who goes by the usernames 'dreadiscool' and ‘Anna-Senpai.'

We can't corroborate the identity connection Krebs makes in his reporting, but you can see the strong evidence linking Mirai to Minecraft, including interviews, chat logs, and forum post archives, in his 8,000 word write-up here.

"A Google search for this rather unique username 'dreadiscool' turns up accounts by the same name at dozens of forums dedicated to computer programming and Minecraft," Krebs writes. "In many of those accounts, the owner is clearly frustrated by incessant DDoS attacks targeting his Minecraft servers, and appears eager for advice on how best to counter the assaults.
From Dreadiscool’s various online postings, it seems clear that at some point [he] decided it might be more profitable and less frustrating to defend Minecraft servers from DDoS attacks, as opposed to trying to maintain the servers themselves."

From there, Krebs digs up evidence that the massive Mirai attacks last September on French web host OVH were actually targeting Minecraft servers hosted by OVH (this came at the same time Krebs' own site was DDoSed). In a conversation between ProxyPipe VP Coelho and Mirai's author, Krebs reports that "[Mirai's author] brags that as he and Coelho are speaking, the owners of a large Minecraft server were paying him to launch a crippling DDoS against Hypixel, currently the world’s most popular Minecraft server. KrebsOnSecurity confirmed with Hypixel that they were indeed under a massive attack from Mirai between Sept. 27 and 30.

"Coelho told KrebsOnSecurity that the on-again, off-again attack DDoS method that Anna described using against Hypixel was designed not just to cost Hypixel money. The purpose of that attack method, he said, was to aggravate and annoy Hypixel’s customers so much that they might take their business to a competing Minecraft server."

At this point Krebs departs the Minecraft drama to dig deeper into the origins of the Mirai botnet, but if his reporting is correct, it means some of the largest DDoS attacks in history started as squabbles over Minecraft servers. Minecraft servers attacking competitors, Minecraft security providers attacking their competitors. Pretty sordid tale for a game about building stuff out of voxels.